According to statistics from Bkav's virus surveillance system, more than 35,000 smartphones in Vietnam were infected with GhostTeam virus that stole Facebook passwords (by January 25, 2018). This malware leveraged a variety of Vietnamese popular apps on Google Play to spread. Bkav advises users conduct a virus scan and immediately change their Facebook account passwords if they detect that their smartphone was infected.
The vector was quite sophisticated. First, hackers distributed "clean" and popular apps such as calendar, flashlight, compass, etc on Google Play for users to install. Once installed, this app would automatically download another malicious application. To deceive the victim, the "clean" application would display such security warnings as smartphone infected with malware or smartphone slowing down, etc accompanied by solution instructions. These were indeed fake warnings, and by following the phone would be infected with virus. The virus would take control of smartphone and steal user’s Facebook account password.
Mr. Vu Ngoc Son, Bkav Vice President of Anti Malware, said: "The way by which hackers use a clean application on Google Play as a vector to infect malware makes it very difficult for users to take precautions. In this case, the only way is to install anti-virus software to be protected automatically”.
By now, Google Play has removed these Vietnamese applications, so the number of smartphones infected with GhostTeam virus has not increased dramatically. However, with phones that previously installed the apps, there is a risk of losing Facebook password. Bkav Mobile Security has updated all the variants of this virus. After checking and detecting the phone infected with virus, users need to immediately change Facebook account password.